Hello Michael,
Tuesday, June 06, 2000, 8:58:12 PM, you wrote:
MAG> I agree with Mike Salim on all the points he has raised, and I am requesting
MAG> that the Perl wizards at OpenSRS address Mike's last point immediately:
MAG> At 10:45 PM 6/6/00 -0400, A. M. Salim wrote:
>>6. Notification emails must *NEVER* carry credit card numbers in
>>plaintext as they currently do. Notification emails must always be
>>encrypted. PGP is probably the easiest choice (gpg) but any secure
>>encryption will work for me as long as I am provided with a mechanism to
>>readily decrypt the email.
MAG> Considering that our websites are already using encryption, how difficult would
MAG> it be to encrypt the CC numbers? Also, how would we decrypt them at our end?
MAG> I expect that PGP is superior to Blowfish and the other encryption Perl modules
MAG> we use, but it certainly would be better than plain text.
MAG> How about an immediate fix on that?

Aren't these issues on the RSP's side, and not OpenSRS's?

It would be trivial to implement GPG encryption of the email that is
sent to the admin (that can be decrypted with PGP or GPG on the
admin's machine), or to store that data in a database on the server
where the admin can access it over an SSL web-based interface.

How a particular RSP does this is an internal matter for them, isn't
it?

I remember seeing someone post here some months ago about a hack to a
previous version of the code where they had added GPG encrypting of
the email. I'm sure that code can be taken and added into the current
version for those who need it.

-- Best regards, William mailto:william@userfriendly.com
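
The GPG encryption of the admin notification discussed in this message, as an added example that is not part of the original post and is not OpenSRS code. It assumes gpg is on the PATH and the admin's public key has already been imported and verified; the recipient address, sendmail path and sample order are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not OpenSRS code): encrypt a notification body to the
# admin's public key with gpg before handing it to the mailer.
use strict;
use warnings;
use IPC::Open2;

my $ADMIN_KEY = 'admin@example.com';    # hypothetical recipient key / address
my $SENDMAIL  = '/usr/sbin/sendmail';   # assumed mailer path

# Returns ASCII-armored ciphertext, or dies so plaintext is never sent.
sub gpg_encrypt {
    my ($plaintext, $recipient) = @_;
    # --trust-model always: the key was verified out of band when imported.
    my @cmd = ('gpg', '--batch', '--no-tty', '--armor',
               '--trust-model', 'always',
               '--encrypt', '--recipient', $recipient);
    # List form avoids the shell; data goes over pipes, never to disk.
    my $pid = open2(my $out, my $in, @cmd);
    print {$in} $plaintext;             # fine for short notification bodies
    close $in;
    my $cipher = do { local $/; <$out> };
    close $out;
    waitpid $pid, 0;
    die "gpg failed (exit " . ($? >> 8) . "); refusing to send plaintext\n"
        if $? != 0
        || !defined $cipher
        || $cipher !~ /^-----BEGIN PGP MESSAGE-----/;
    return $cipher;
}

sub send_notification {
    my ($to, $subject, $body) = @_;
    my $cipher = gpg_encrypt($body, $ADMIN_KEY);
    # Headers stay in the clear, so keep card data out of the subject.
    open(my $mail, '|-', $SENDMAIL, '-t', '-oi')
        or die "cannot run sendmail: $!\n";
    print {$mail} "To: $to\nSubject: $subject\n\n$cipher";
    close $mail or die "sendmail exited with status $?\n";
}

# Constructed sample order; 4111111111111111 is a well-known test number.
send_notification($ADMIN_KEY, 'New domain order',
    "Domain: example.com\nCard: 4111111111111111\nExpires: 01/01\n");
```

The admin decrypts the message body with `gpg --decrypt` using the matching private key, which stays on the admin's machine and never on the web server.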